New Chinese Cyber Law?

China has enacted a new law in which personal information collected or generated must be stored in China. Therefore, any foreign company working in China must have their information stored within China.

Such a policy creates a segregation within the world, in which information stored in China will be separated from the rest of the world. Furthermore, such a concept has an extreme impact on any multinational company doing any sort of work in China. Companies in general, are constantly sharing data across borders, and such a law will inhibit foreign companies from doing online business with China.

If this isn’t enough to make foreign companies second-guess themselves, the law itself is written in vague terms. The law, which states “critical information infrastructure” must be contained within China. However, this leads to extreme interpretation as to what this critical information is.

I believe this enactment of a law is a large step backwards with China and foreign businesses. China already does not like foreign businesses within China, as we see with Facebook and other websites that are, by and large, not allowed within China’s networks.

-Tim Zabel



Microsoft and Zero-Day Flaws

On September 13th, Microsoft was forced to fix seven critical security flaws that could be remotely exploited. These updates went out to the latest versions of Microsoft Windows, Office, and Explorer. However, if you use the older versions of these products, you will not see any security updates. Those using older versions of the software are dramatically at risk for exploitation of their systems.

Furthermore, another one of these flaws being fixed is a zero-day vulnerability that has been exploited for over two years. This specific vulnerability exists in the IE and Edge browsers, in which malvertising groups such as AdGholas and GooNky have been exploiting. This flaw was brought to attention by a French security researcher in 2015 by the name of Kafeine, who alerted Microsoft to the situation. The interesting scenario is that these malvertising groups have been exploiting these non-critical bugs and low-level vulnerabilities for over two years, serving malvertising to up to five million users per day.

These groups have apparently been staying off the radar by hiding their attack code in plain sight, such as inside an image file, by using a practice called steganography.

To nobody’s surprise, more Adobe flaws have been found. On September 13th, Adobe released more security updates to fix flaws found in Adobe Flash, AIR, and Adobe Digital Editions, an e-book viewer. The number of critical flaws in Flash that have been discovered and fixed in the recent years is staggering, which leads many companies to abandon Flash support in their browsers. The vulnerabilities fixed on the 13th patched code that could potentially allow an attacker to gain control of a system. Many companies are recommending that you uninstall flash, and use a browser, like Chrome, which does not support Adobe Flash.


Author: Tim Zabel, Rochester Institute of Technology